How to protect a site from hacking
An insecure site is exposed to many problems: hacking, attacks, virus infection. Some of the most common attacks:
XSS attack. Malicious code is embedded in the data sent by the user (in the unprotected fields of a registration, subscription, order, call-back or comment form). A knowledgeable user can thus “break” the site, making it inoperative.
SQL injection. An action that was not originally there is added to the SQL query without violating the structure of the original query. This lets an attacker access databases, and modify and download files from them.
DDoS attack. It blocks the operation of certain functions, pages or the entire resource with a huge number of simultaneous requests that the server is not able to process. The site hangs and user loyalty falls.
There are many other ways to hack a site that has security holes. The goals of the attackers may differ, but they all boil down to manipulating the resources of the site and/or obtaining material benefit. Examples include sending spam to the addresses in the site’s database, inserting pages with other people’s content and advertising, redirecting users to a fake site and, finally, a triumphant competitor bringing the resource down.
Once you lose control over the site, you can in an instant lose financial resources and user trust, and also receive sanctions from search engines. You can protect your site as follows:
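The SQL injection described above, as an added example that is not part of the original article: the same lookup written once with string concatenation and once with a parameterized query. The in-memory SQLite table, the logins and the function names are assumptions constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table for the demo."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return db


def find_user_unsafe(db, login):
    """Vulnerable: form input is pasted into the SQL text itself."""
    sql = "SELECT login FROM users WHERE login = '" + login + "'"
    return sorted(row[0] for row in db.execute(sql))


def find_user_safe(db, login):
    """Hardened: the ? placeholder passes the input as a value only."""
    sql = "SELECT login FROM users WHERE login = ?"
    return sorted(row[0] for row in db.execute(sql, (login,)))


# Constructed form input: the quote closes the string literal and the rest
# becomes an extra condition that the original query never contained.
CRAFTED_INPUT = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("unsafe, normal input: ", find_user_unsafe(db, "alice"))
    print("unsafe, crafted input:", find_user_unsafe(db, CRAFTED_INPUT))
    print("safe, crafted input:  ", find_user_safe(db, CRAFTED_INPUT))
```

With the concatenated query the crafted input matches every row; with the placeholder it is compared as an ordinary string and matches none.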
1. Create strong passwords and store them correctly
Two sides are responsible for the security of the site: the owners, administrators and developers on the one hand, and the hosting provider on which the site is located on the other. If the hosting is hacked, a hacker can gain access to any site on that hosting. Therefore, when registering an account with a hosting provider, change the passwords you were sent and keep them away from the hosting itself.
When creating passwords:
Do not use personal information (date of birth, names, animal names, passport, phone, card).
Combine letters of different case and numbers.
Remember that a strong password contains from 8 to 30 characters.
It is a good idea to use online generators (for example, “Secure Password Generator”), so that you get really unique and complex combinations. Use each password in only one place and change it periodically.
Site admin panel data and all logins, passwords and keys must not be stored in a browser or FTP client, or sent in instant messengers and emails. Storing passwords on a personal PC in a text document with a name like “Passwords” is a big mistake. Ideally, all identifiers should be kept on removable media (a flash drive).
2. Keep up with software updates
To protect against viruses, update your software on time, especially the site's CMS. For the same reason, using free “hacked” versions of a CMS is not recommended: firstly, these are always outdated versions of the program; secondly, you don’t know what was “wired” into it during hacking; and thirdly, you won’t be able to take advantage of the technical support for this CMS.
3. Install security plugins and antivirus
For additional site protection, there are special CMS plugins that are quite easy to download and use (iThemes Security, Wordfence and others). The best and most popular of them let you track promptly what users enter on the site, protect against spam and prevent XSS attacks.
Use anti-virus online services (Antivirus-alarm, VirusTotal, Sucuri) to check the resource for viruses and identify many other problems on the site.
You can also use the search engines' webmaster services for an emergency virus scan:
In Yandex Webmaster, open the “Diagnostics” – “Security and violations” tab.
In Google Webmaster, open “Security Issues”.
4. Make backups of the site regularly
This is the most important measure for protecting the site, and it cannot be ignored under any circumstances. In case of serious problems, you can always recover the data and fix the security flaws.
You can create a copy of the site through the hosting control panel or using plugins (for WordPress, for example, BackUpWordPress, BackupBuddy and others). Save the results to your computer or the cloud.
The best solution is to set up automatic backups at least 2 times a month. Hosting technical support can help with the configuration.
Also make a backup with each CMS update.
5. Use a secure connection
Get an SSL certificate, which provides a secure connection between the server and the web client. All data will be transmitted over a secure https connection in encrypted form. Decrypting it requires a special key, which greatly complicates the work of hackers.
SSL certificates can be either free or paid. The choice depends on the importance of the confidential data in the site database. Most hosting providers let you install a free certificate from the admin panel. For online stores, you will most likely need a paid certificate.